The Password Post-It Conundrum

July 7, 2008

Any of you who have worked in a cubicle-style environment will have noticed one of the biggest ironies of the Information Age. You walk around the office, checking out people’s computer monitors, and nearly every single one has Post-It notes stuck to its edges. And, if you look closely (I’m not advising you to do this, I’m just saying…), you’ll notice that a very high percentage of monitors have, on at least one Post-It, a sign-in password.

That’s right. Most people have the keys to unlock their computer, sitting right there on their computer. That’s like leaving your front door key inserted into the lock in your front door all of the time.

For those of us who don’t want to do that, we do something almost equally moronic — we use the same exact password for every site that requires one, which means the first site to leak its password list hands over every other account too. And that password is usually something like the name of your child, or your spouse’s birthday, or something else equally guessable.

The reason we do this is obvious — there are far too many sites that require passwords for us to remember them all. Many sites impose arcane restrictions (“Must be 8 characters long, contain at least one number and one ampersand.”) and require you to change them every few months.

With the rise of identity theft, requiring a password isn’t a bad idea. But the plain truth is that most sites require passwords for monetary reasons, not security ones — in order to continue producing the site, most companies need to monetize it. And that means collecting data on you. The only way to do that effectively is to register people, so that the site can track what you’re doing on it. Then they can either sell something to you, or sell your eyeballs to an advertiser (well, not literally your eyeballs, but at least the information about what those eyeballs are looking at).

This leads us to the Information Overload Password Conundrum (or IOPC, a term I just made up).

People, who are generally unable to retain a variety of complex passwords, will do their best to make their passwords less complex and less varied.

This is a problem for institutions that really do need to keep your data private — banks, medical facilities, research institutions, and so on.

There are two initiatives that have been brewing to help to make this entire process both more secure and less intimidating for users.

The idea is to bring the concept of an identity card, like a driver’s license, to the online world. Rather than logging on to sites with user IDs and passwords, people will gain access to sites using a secure digital identity that is overseen by a third party. The user controls the information in a secure place and transmits only the data that is necessary to access a Web site.

There are a host of problems with this, of course, most notably the fact that the consortium will have to convince millions of web sites to trust the company behind the initiative — the mentioned “third party” — with the data that the sites’ users have entrusted to them. Personally, I don’t know how I feel about that. Is there a difference between a government Big Brother and a private industry one? We regularly hand over large amounts of our personal data to companies right now. About the only thing that keeps them from abusing that data too much is that it is fragmented between many companies.

Still, it’s a laudable start to our IOPC.

Another, more interesting one, came up in today’s “Bits” column in the New York Times. Called “More Personal Password Questions,” the piece talks about a new initiative at the Palo Alto Research Center (which, as Xerox PARC, developed the icon-based user interface used on nearly all personal computers today) called “Blue Moon Authentication.”

Named under the erroneous assumption that you only forget your password “once in a blue moon,” this technology is meant to provide reliable but difficult-to-crack “fallback questions.” These are the questions you need to answer when you’ve forgotten your password and need to either reset it, or have the website send you an email with that information (a site that can email you your existing password is storing it in recoverable form, which is its own problem). You choose from a list of questions: what was your first pet’s name?, where were you born?, what is your mother’s maiden name?, etc.

The problem is that these answers are very hackable, especially for someone who can automate the guessing (the Times even publishes a list of common pet names). PARC’s idea is:

While registering for a site, users are asked to select from a long list things they like and dislike (punk music, golf, southern food, for example). If they forget their password, they return to the site and are presented with the list of items they selected. Then they have to specify whether they like or dislike those things – a quick personality test. Forget about plumbing the depths of your brain; just be yourself. “It turns out very few people have a hard time remembering who they are,” [Markus Jakobsson, principal scientist at PARC] said.

The piece says that, in a study, the chance of someone not being able to remember the answers to those questions was near zero. No one knows, of course, what happens if you go off chocolate after liking it for many years. The only way around that is for the site to accept a near match rather than a perfect one, and every mismatch the site forgives is also one an attacker gets for free. People change, though not as often as most sites require us to change our passwords.
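To make that trade-off concrete, here is a toy model of the like/dislike recovery check described above. It is an added example for this post, not PARC’s code or anything from the Times piece; the catalogue of items, the 14-of-16 threshold, the server-side key kept outside the user database, and the five-attempt lockout are all assumptions chosen for illustration.

```python
"""
Toy model of a preference-based ("like / dislike") fallback check, added to
illustrate the scheme described in the post. It is not PARC's code; the
catalogue, threshold, server key handling and lockout limit are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

# Constructed catalogue of things a user might rate at registration.
CATALOG = [
    "punk music", "golf", "southern food", "opera", "camping", "sushi",
    "horror films", "crossword puzzles", "cycling", "chocolate", "poetry",
    "reality tv", "gardening", "video games", "jazz", "hiking",
]

# Assumed server-side key held outside the user database (an HSM or KMS in
# practice). Each answer is a single bit, so hashing it on its own would be
# trivially reversible; a key the attacker lacks is what protects the stored
# profile if the database leaks.
SERVER_KEY = secrets.token_bytes(32)

MAX_ATTEMPTS = 5  # assumed lockout limit on the recovery flow


@dataclass
class Profile:
    user_id: str
    items: tuple[str, ...]     # which catalogue entries the user rated
    tags: tuple[bytes, ...]    # one keyed tag per item, over (user, item, bit)
    threshold: int             # answers that must match to pass
    attempts: int = 0


def _tag(user_id: str, item: str, liked: bool) -> bytes:
    msg = f"{user_id}\x00{item}\x00{int(liked)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def enroll(user_id: str, ratings: dict[str, bool], threshold: int) -> Profile:
    """Record the user's likes/dislikes as keyed tags, never as raw bits."""
    items = tuple(sorted(ratings))  # fixed order; the order is not secret
    if not 0 < threshold <= len(items):
        raise ValueError("threshold must be between 1 and the number of items")
    tags = tuple(_tag(user_id, item, ratings[item]) for item in items)
    return Profile(user_id, items, tags, threshold)


def verify(profile: Profile, answers: dict[str, bool]) -> bool:
    """Pass if at least `threshold` answers match the enrolled ratings.

    Tolerating a few mismatches is what lets someone who has gone off
    chocolate still recover the account; the attempt counter is what keeps
    that tolerance from turning into a free guessing game.
    """
    if profile.attempts >= MAX_ATTEMPTS:
        return False
    profile.attempts += 1
    matches = 0
    for item, stored in zip(profile.items, profile.tags):
        claimed = _tag(profile.user_id, item, answers.get(item, False))
        if hmac.compare_digest(claimed, stored):
            matches += 1
    ok = matches >= profile.threshold
    if ok:
        profile.attempts = 0
    return ok


def random_guess_success(k: int, threshold: int) -> float:
    """Probability that one uniformly random like/dislike vector passes.

    Each item is a coin flip for an attacker who knows nothing about the
    user, so success is P(at least `threshold` of k flips land right).
    """
    return sum(math.comb(k, j) for j in range(threshold, k + 1)) / 2 ** k


if __name__ == "__main__":
    ratings = {item: i % 3 != 0 for i, item in enumerate(CATALOG)}
    p = enroll("alice", ratings, threshold=14)
    print(verify(p, ratings))                          # True
    changed = dict(ratings, chocolate=not ratings["chocolate"],
                   golf=not ratings["golf"])
    print(verify(p, changed))                          # True: only 2 of 16 differ
    print(f"random guess, 16 of 16: {random_guess_success(16, 16):.6f}")
    print(f"random guess, 14 of 16: {random_guess_success(16, 14):.6f}")
```

With sixteen items and a perfect match required, a blind guess succeeds once in 65,536 tries; forgiving two changed preferences raises that to about once in 478. That is still far better than a pet-name question, where a short list of popular names covers a large share of users, but only as long as the recovery flow is rate limited, which is why the attempt counter is part of the model rather than an afterthought.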

Still, it is a step to solving our password problems, something that has been discussed for years. Now that we do much of our purchasing, banking, and investing online, it’s time to do something about it.


3 responses

July 7, 2008

matt (09:02:54):

Somewhere on the web there is a very informative website detailing how to maintain complex passwords on a Post-It while keeping it secure. The basic process is this: if your password is jdsjf938Hh, you write it on a Post-It as jdAsjfA938Hh and keep it in your brain that whenever you see a capital A, you don’t type it. Works great.

And, yet, many people still worry about putting all of their password information (no matter how skimpy it is) up in the cloud. What your company has to worry about, encrypted or not, is the perception of a large percentage of net users (not unjustifiably) that hackers are really smart and that the only reason they haven’t attacked any one given technology or site is that the site is too small to be worth the investment.

What people think is that if your company, god willing, gets big enough to attract serious notice and have millions of users, it will become a bigger target for hacking. And then all of that information that they’ve entrusted you with will fall into someone else’s hands.

I believe that these fears, though overblown, have some basis in reality. But even if they were completely baseless, it would still be important to have a suite of solutions, not just one sitting up there in the cloud.

About Norman Hollyn

Norman Hollyn has been described as a “media expert,” a reference to his experience in a wide variety of media types – in both the old and new media worlds.

He is a long-time film, television and music editor (HEATHERS, THE COTTON CLUB, SOPHIE’S CHOICE, Oliver Stone’s WILD PALMS), and is Associate Professor and Head of the Editing Track at the University of Southern California’s School of Cinematic Arts. He is an author of nearly 100 articles and his book, THE FILM EDITING ROOM HANDBOOK, has been internationally translated. His new book, THE LEAN FORWARD MOMENT, comes out from Peachpit Press/Pearson in December.

He has taught worldwide, including several workshops for the Royal Film Commission in Jordan. He has taught at the Sundance Film Festival, and consults and speaks at major corporations such as Dreamworks Pictures and the Philadelphia Inquirer. He has worked as an expert witness in legal cases involving the aesthetics or history of editing, and is a partner in an Internet development firm. He is presently editing and co-directing a documentary about architecture called OFF THE GRID and editing an international long-distance collaborative documentary called RIVERS.